Leveraging Knowledge to Manage Your Data Risks

On November 30, 2016, The Home Depot, Inc. (Home Depot) won a victory in the shareholders’ derivative suit filed against it for its alleged failure to institute the controls necessary to secure its data, arising from its 2014 customer data breach. U.S. District Judge Thomas W. Thrash Jr. dismissed all claims against Home Depot: breach of the duties of care and loyalty, waste of corporate assets, violations of the Securities Exchange Act, and failure to meet security standards such as maintaining a firewall, protecting against malware, updating its anti-virus software, and regularly testing its data security systems.

The data breach compromised the financial information of over 56 million Home Depot customers and led to nearly $10 billion in exposure for Home Depot. Despite this financial setback, Judge Thrash ruled that shareholders Mary Lou Bennek and Cora Frohman cannot pursue their suit against current and former Home Depot officers because they could not show beyond a reasonable doubt that the board was actually liable by “consciously fail[ing] to act in the face of a known duty to act.” Judge Thrash said, “This is an incredibly high hurdle for the plaintiffs to overcome, and it is not surprising that they fail to do so.” “In other words, as long as the outside directors pursued any course of action that was reasonable, they would not have violated their duty of loyalty… the board’s decision to upgrade Home Depot’s security at a leisurely pace was an unfortunate one,” but it was protected by the business judgment rule. Lastly, Judge Thrash said, “the plaintiffs have failed to specify which statements in the 2014 and 2015 proxy statement [required by the Securities Exchange Act] were rendered misleading or false by the omissions, have failed to show the materiality of the Audit Committee omission, and have failed to show causation.”

Last week, a California federal judge, U.S. District Judge Cormac J. Carney, denied a request for class certification in the Telephone Consumer Protection Act (TCPA) class action against Dick’s Sporting Goods Inc. (Dick’s) because the court determined that the named plaintiff, Phillip Nghiem, was not an adequate class representative. Dick’s presented evidence showing that Nghiem had signed up for multiple mobile alert programs (and had signed up for Dick’s program at a time when his law firm had already alerted the retailer to possible TCPA violations), as well as evidence of the simple fact that Nghiem is a plaintiffs’ attorney specializing in consumer disputes. Judge Carney found that this evidence made Nghiem an inadequate class representative and that his claims were not typical of those of the rest of the consumers.

Judge Carney also stated in his decision that Ninth Circuit authority directs district courts not to grant class certification if there is a danger that absent class members will suffer because their representative is preoccupied with defenses unique to that representative.

However, Judge Carney did rule against Dick’s argument that the named plaintiff, attorney Phillip Nghiem, had not alleged a concrete and particularized injury and therefore lacked standing. Judge Carney instead ruled that TCPA violations necessarily cause harm to consumers, and thus such claims can satisfy the Supreme Court’s ruling in Spokeo v. Robins (i.e., that the violation of a procedural right granted by a statute can, in some circumstances, be sufficient to constitute injury-in-fact).

Nghiem filed this lawsuit back in January, alleging that Dick’s violated the TCPA on at least eight occasions when text messages were sent to his cell phone by an automatic telephone system after he had revoked his consent for Dick’s to do so.

L.A. Tan, a tanning salon chain, will pay $1.5 million to settle claims that it violated the Illinois Biometric Information Privacy Act (BIPA) by obtaining customer fingerprints without their consent and failing to properly inform them of how the data would be stored. Each class member will receive between $125 and $150. Counsel to the class will receive $600,000, and the class representative, Klaudia Sekura, will receive $5,000. The settlement class includes customers who had their fingerprints scanned at an Illinois L.A. Tan salon between November 13, 2013, and August 11, 2016.

BIPA requires that individuals give written permission before a business collects any biometric identifiers (in this case, fingerprints). It also requires proper notification about how the data will be stored, used and destroyed, and it prohibits the sale of the information.

Cook County Circuit Judge Rodolfo Garcia said in his decision, “The court finds that the consideration to be paid to members of the settlement class is reasonable, considering the facts and circumstances of the claims and affirmative defenses available in the action and the potential risks and likelihood of success of alternatively pursuing trials on the merits.” This marks the first settlement under the Act.

Last July, the United States and the European Union agreed on a new framework to allow the transfer of Europeans’ personal data to the United States. This new framework, known as Privacy Shield, replaced the Safe Harbor Principles, which the European Court of Justice struck down over concerns about the U.S. government’s online data surveillance activities.

The architects of Privacy Shield sought to address the Court’s concerns by including mechanisms that allow Europeans to raise claims about U.S. spying, including through a new ombudsman at the U.S. State Department. However, European advocacy groups have challenged the adequacy of these mechanisms. First, the advocacy group Digital Rights Ireland sued the European Commission in the Court of Justice of the EU. Most recently, three French organizations, La Quadrature du Net, a French privacy advocacy group; French Data Network, a non-profit Internet service provider; and the ISP industry association Federation, brought an action in the Luxembourg-based General Court challenging the E.U.’s adoption of the Privacy Shield.

These actions challenge whether the U.S. ombudsman is really independent of the U.S. government, and they raise concerns about U.S. bulk data collection efforts and how the collected data may be used by U.S. law enforcement and intelligence agencies. It is unknown how these cases will be resolved. Until they are, many U.S. companies will rely on the Privacy Shield to facilitate the transfer of personal data from the E.U. To date, more than 1,500 U.S. companies have registered or applied for Privacy Shield certification. Other companies have elected to use the model clauses or other mechanisms to enable the cross-border transfer of personal data until the Privacy Shield legal challenges are resolved.

The Drone Manufacturers Alliance (DMA) has voiced approval of President-elect Donald Trump’s nomination of Elaine Chao as the next U.S. Secretary of Transportation in its November 9 letter to Trump and the Trump-Pence Transition Team. But with that approval comes a request that Trump “pursue a balanced legal and regulatory framework for unmanned aircraft systems (UAS).” DMA’s Director, Kara Calvert, said, “Secretary Chao is a proven leader, and we are encouraged by her long-held approach to balanced regulation. We look forward to working with her and her team on policies that promote innovation and allow the drone market to flourish in a responsible and safe manner.” DMA also cited an Associated Press article stating that Secretary Chao would not be “especially inclined to second-guess the industry” on the safety of new technology, like UAS.

Secretary Chao served in President Bush’s administration for eight years beginning in 2001, when she became U.S. Secretary of Labor. In President-elect Trump’s press release regarding her nomination, he said, “Secretary Chao’s extensive record of strong leadership and her expertise are invaluable assets in our mission to rebuild our infrastructure in a fiscally responsible manner.”

While the DMA praises the efforts of the Federal Aviation Administration’s (FAA) administrator, Michael Huerta, for “making it clear” that drones are beneficial to the U.S. and should be safely integrated into the national airspace, the DMA hopes to send a message to the new administration: “We urge your administration to continue the trend. If we move forward with a balanced regulatory structure, we believe the market will meet the projections of $82.1 billion in economic impact and 100,000 jobs by 2025.” The letter also lists DMA’s “top policy priorities,” which include education; establishing a micro UAS rule; preserving the role of the FAA and Congress; protecting the freedom of model aircraft operators; and privacy protections, but without strict technological mandates that may impede technological development. DMA says it is “very excited” to work with Trump, his transition team and his incoming administration “on a range of policy questions related to drones.” The full letter can be found here.

On December 6, 2016, The Electronic Privacy Information Center, The Campaign for a Commercial Free Childhood, The Center for Digital Democracy and Consumers Union filed a Complaint and Request for Investigation, Injunction and Other Relief (Complaint) with the Federal Trade Commission (FTC) against Genesis Toys (Genesis) and Nuance Communications (Nuance) regarding alleged violations of the Children’s Online Privacy Protection Act (COPPA) and unlawful unfair and deceptive practices within the meaning of Section 5 of the FTC Act. Genesis sells the My Friend Cayla (Cayla) and the i-Que Intelligent Robot (i-Que) toys. Cayla and i-Que are interconnected toys that talk and interact with children by capturing, storing and analyzing spoken communications using Nuance’s systems and technology. Each toy consists of a physical doll with Bluetooth and a connected mobile app. The toys collect personal information about the child and transmit it to Nuance for storage and processing.

The Complaint includes an analysis of each privacy policy, terms of service, various notifications, and user acceptance, including parental permission for the collection and use of information about children under the age of thirteen. As described in the Complaint, the policies and terms of use are inconsistent, fail to disclose the actual use of the information and do not contain appropriate parental consent mechanisms. Further, the Complaint alleges that the manner of storage and sharing of the collected information is unclear and may exceed what is necessary for use of the toy. The Complaint also identifies a technical flaw that would, under certain circumstances, allow unauthorized parties with a cell phone within Bluetooth range to listen in on the child and even communicate directly with the child.

The BBC has reported that an additional complaint has been filed by the Norwegian Consumer Council in Norway, and that additional complaints are planned in France, Sweden, Greece, Belgium, Ireland and the Netherlands.

A recent report from Imperva, Inc. has identified a Phishing-as-a-Service (PhaaS) offering on a Russian website. The United States Computer Emergency Readiness Team defines phishing as “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.” According to a June 2016 report by PhishMe, 93% of phishing emails contain ransomware. Ransomware has crippled hospitals, school districts and police agencies, among others. The Imperva report states that for approximately $4,200 per month, users can buy a managed service that sets up a complete phishing scheme, from emails to web pages to back-end storage. The purchaser does not need any real technical skills to initiate an attack. Imperva estimates that if 1,000 credentials are compromised per day over a 14-day period, the purchaser sees a positive return on investment. Imperva concludes, “[t]he industrialization of PhaaS is a significant threat to cyber security given the role it plays in the distribution of malware. Phishing is the starting point for most cybercrimes. The best way to control the phishing menace is by limiting access to web servers and thereby throwing a wrench into the business model. Financial motivation is the key factor in all cybercrimes. Increasing the financial resources needed to launch large-scale automated attacks is the only way to curb the growth of phishing.”

Blippar, an augmented reality app, recently released facial-recognition software that allows users to scan faces with their smartphones. The Blippar app makes it possible to scan a face (from print, TV or in real life) and learn the person’s name and other information.

Blippar’s Co-Founder and CEO, Ambarish Mitra, says, “Our facial recognition technology combined with our knowledge graph enables people to express themselves through things they love, including their hobbies, opinions, key fun facts and so much more.” A database of over 70,000 public figures has already been created; users will also be able to scan their own faces to add their face and personal information to the database. The biggest concern with Blippar is users’ ability to add other people’s faces to the database without their permission.

In addition to faces, the Blippar software can recognize brands, everyday objects and even works of art. Keep your eyes open for more apps like Blippar’s as facial recognition software becomes more accessible and affordable. And be aware that your face may be added to a database like this one without your knowledge.

While law enforcement has access to new technology owned by third parties that assists it in protecting the public, questions arise as to who should own the data gathered by that technology. Sometimes, it is the technology provider itself that blocks public access to the data. For example, many police departments have contracted with ShotSpotter, Inc. for its gunshot detection technology. This tool lets police learn of gun discharges that are detected using proprietary equipment and software owned by ShotSpotter. ShotSpotter, however, claims that the data gathered by its tool is also proprietary, and thus prohibits a police department from sharing the data with the public or other government agencies unless an additional fee is paid. Accordingly, although the police already paid for the data once (using taxpayer resources), researchers and other members of the public are generally forced to pay a second fee to access it, or to submit a creative public records request to acquire data adjacent to the proprietary information. As these third-party crime-fighting technologies become more prevalent and more important to lawyers, researchers, and the public in general, courts may be forced to contend with the legality of contracts that broadly block access to data already paid for by police departments and obtained by capturing information from public spaces using new technologies.

If you are considering purchasing a drone this holiday season, make sure to check out the newly launched online training course created by the Unmanned Safety Institute (USI) specifically for drone hobbyists. This new course, called SAFEGUARD, is about one hour long and covers safety topics such as understanding airspace, identifying and avoiding hazards, the effects of weather on drones, planning safe flights, and current Federal Aviation Administration (FAA) regulations. SAFEGUARD is for all skill levels and can be purchased and accessed via www.FlySafeguard.com (or through Amazon, Sporty’s Pilot Shop and other retailers).

And if you decide to take your drone flying hobby to the next level and start using drones for commercial purposes (being sure, of course, to follow FAA regulations), SAFEGUARD provides each user with a record of completion, which is redeemable through some of USI’s insurance partners for a discount on insurance.

About Robinson+Cole

Robinson+Cole is an Am Law 200 firm with 200 lawyers in nine offices serving regional, national, and international clients, from start-ups to Fortune 500 companies. Since 1845, Robinson+Cole has expanded to meet the changing needs of clients. The firm represents corporate, governmental, and nonprofit entities, as well as individual clients, in a wide range of matters, including corporate; business and insurance litigation; tax and tax-exempt; finance; public finance; land use, environmental and utilities, and real estate; health law; labor, employment, and benefits; intellectual property and technology; privacy and data security; and government relations.